Hbinject.exe, hbmhly.dll, sys07003.dll, zsqf.dll, ytfa.dll, ytfb.dll, ytfc.dll, etc.
Original: Purple Endurer
Version 1
Yesterday a friend said that he had opened a Flash file on the Internet; Flash Player reported an error and the computer stopped responding. After he forced a restart, the Rising monitor's umbrella icon no longer appeared and the computer was sluggish. He asked for help.
I had him run pe_xscan to produce a scan log. Scanning processes and modules was very slow, so only the first few processes were scanned before the scan was forced on to the later stages. Analysis of the log showed the following suspicious items:
Pe_xscan 08-08-01 by Purple endurer
Windows XP Service Pack 2 (5.1.2600)
MSIE: 6.0.2900.2180
Administrator user group
Normal Mode
[System Process] * 0
C:/WINDOWS/system32/zsqf.dll | 2008-8-6 1:9:3
C:/WINDOWS/system32/loanoltrd.dll | 1601-1-1 23:8:48
C:/WINDOWS/system32/dgsfgdljv.dll | 2008-8-5 3:41:20 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Advanced Windows 32 Base API | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | advapi32.dll | advapi32.dll
C:/WINDOWS/system32/pserspxvh.dll | 2008-8-5 3:41:21 | Microsoft(R) Windows(R) Operating System | 5.1.2600.3119 | Windows NT BASE API Client DLL | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301) | Microsoft Corporation| ? | kernel32 | kernel32
C:/Program Files/Internet Explorer/PLUGINS/Windows64.Sys | 2008-8-5 3:51:44
C:/WINDOWS/system32/imgutilhx2.dll | 2008-8-6 10:25:9
C:/WINDOWS/system32/avicapwm.dll | 2001-8-6 1:10:43
C:/WINDOWS/system32/bootvidgj.dll | 2008-8-6 1:8:45
C:/WINDOWS/system32/dispexcb.dll | 2008-8-5 3:47:54
C:/WINDOWS/system32/certmgrkd.dll | 2008-8-6 1:8:5
C:/WINDOWS/system32/cliconfgzx.dll | 2008-8-5 3:47:16
C:/WINDOWS/system32/lweurqhx.dll | 2008-8-5 6:2:43
C:/WINDOWS/system32/adsntzt.dll | 2008-8-5 3:45:18
C:/WINDOWS/system32/mstimewd.dll | 2001-8-6 1:5:51
C:/WINDOWS/system32/zrzixfvu.dll | 2008-8-6 19:30:27
C:/WINDOWS/system32/dpvvoxmh.dll | 2008-8-6 1:3:55
C:/WINDOWS/system32/ddserh.dll | 2008-8-5 6:2:5
C:/WINDOWS/system32/fmcvxy.dll | 2008-8-5 3:51:24
C:/WINDOWS/system32/wzcfsw.dll | 2008-8-5 6:1:7
C:/WINDOWS/system32/tdfhex.dll | 2008-8-6 13:57:42
C:/WINDOWS/system32/jfrwdh.dll | 2008-8-5 6:7:31
C:/WINDOWS/system32/pedadt.dll | 2008-8-5 6:5:56
C:/Program Files/Internet Explorer/IEXPLORE32.Sys | 2008-8-5 7:51:36
C:/WINDOWS/System32/csrss.exe* 512 | 2004-8-17 4:0:0 | Microsoft? Windows? Operating System | 5.1.2600.2180 | Client Server Runtime Process | ? Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | CSRSS.Exe | CSRSS.Exe
C:/WINDOWS/system32/gdipro.dll | 2004-8-17 4:0:0
C:/WINDOWS/system32/sys07003.dll | 2004-8-17 4:0:0
C:/WINDOWS/System32/winlogon.exe* 536 | 2004-8-17 4:0:0 | Microsoft(R) Windows(R) Operating System | 5.1.2600.2180 | Windows NT Logon Application | (C) Microsoft Corporation. All rights reserved. | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Microsoft Corporation| ? | winlogon | WINLOGON.EXE
C:/WINDOWS/system32/zsqf.dll | 2008-8-6 1:9:3
O2 - BHO - {D47A61B8-0EAB-417F-8DF4-5C949982A2AF} = C:/Program Files/Internet Explorer/PLUGINS/Windows64.Sys | 2008-8-5 3:51:44
O2 - BHO - {E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} = C:/Program Files/Internet Explorer/IEXPLORE32.Sys | 2008-8-5 7:51:36
O4 - HKLM/../Run: [HBService] C:/WINDOWS/system32/HBInject.exe
O20 - AppInit_DLLs = zsqf.dll ,ytfa.dll,ytfb.dll,ytfc.dll
O24 - ShlExecHook: [] - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} = C:/WINDOWS/system32/dpvvoxmh.dll | 2008-8-6 1:3:55
O24 - ShlExecHook: [] - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} = C:/WINDOWS/system32/zrzixfvu.dll | 2008-8-6 19:30:27
O24 - ShlExecHook: [] - {00180018-0018-0018-0018-00180018BB15} = C:/WINDOWS/system32/mstimewd.dll | 2001-8-6 1:5:51
O24 - ShlExecHook: [] - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} = C:/WINDOWS/system32/adsntzt.dll | 2008-8-5 3:45:18
O24 - ShlExecHook: [] - {71A78CD4-E470-4a18-8457-E0E0283DD507} = C:/WINDOWS/system32/lweurqhx.dll | 2008-8-5 6:2:43
O24 - ShlExecHook: [] - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} = C:/WINDOWS/system32/comuidsg.dll
O24 - ShlExecHook: [] - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} = C:/WINDOWS/system32/cliconfgzx.dll | 2008-8-5 3:47:16
O24 - ShlExecHook: [] - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} = C:/WINDOWS/system32/certmgrkd.dll | 2008-8-6 1:8:5
O24 - ShlExecHook: [] - {76D44356-B494-443a-BEDC-AA68DE4255E6} = C:/WINDOWS/system32/dispexcb.dll | 2008-8-5 3:47:54
O24 - ShlExecHook: [] - {D3112B69-A745-4805-874E-ABD480EA1299} = C:/WINDOWS/system32/bootvidgj.dll | 2008-8-6 1:8:45
O24 - ShlExecHook: [] - {00020002-0002-0002-0002-00020002BB15} = C:/WINDOWS/system32/avicapwm.dll | 2001-8-6 1:10:43
O24 - ShlExecHook: [MICROSOFT] - {73AE86E6-7F03-4C3B-8980-FB1DA157D3C7} = C:/WINDOWS/system32/fmcvxy.dll | 2008-8-5 3:51:24
O24 - ShlExecHook: [] - {D47A61B8-0EAB-417F-8DF4-5C949982A2AF} = C:/Program Files/Internet Explorer/PLUGINS/Windows64.Sys | 2008-8-5 3:51:44
O24 - ShlExecHook: [MICROSOFT] - {8C41B7F7-3168-400D-A702-0E7EFE0BA304} = C:/WINDOWS/system32/sgdewg.dll
O24 - ShlExecHook: [] - {E6C0D0E3-9E9A-489D-AE19-BBCFC7047A59} = C:/Program Files/Internet Explorer/IEXPLORE32.Sys | 2008-8-5 7:51:36
O24 - ShlExecHook: [] - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} = C:/WINDOWS/system32/avicapwm.dll | 2001-8-6 1:10:43
O24 - ShlExecHook: [] - {00300030-0030-0030-0030-00300030BB15} = C:/WINDOWS/system32/imgutilhx2.dll | 2008-8-6 10:25:9
O24 - ShlExecHook: [MICROSOFT] - {841529CB-7F77-4B99-A895-B5441E0D302F} = C:/WINDOWS/system32/jfrwdh.dll | 2008-8-5 6:7:31
O24 - ShlExecHook: [MICROSOFT] - {0B846B26-BFE6-4E8E-A948-1DB17B77B483} = C:/WINDOWS/system32/tdfhex.dll | 2008-8-6 13:57:42
O24 - ShlExecHook: [MICROSOFT] - {5E907A48-400E-4EA8-9792-FFAE052D59E9} = C:/WINDOWS/system32/pedadt.dll | 2008-8-5 6:5:56
O24 - ShlExecHook: [MICROSOFT] - {A9895933-6636-4281-BC58-EE6DE2AF96E3} = C:/WINDOWS/system32/ddserh.dll | 2008-8-5 6:2:5
O24 - ShlExecHook: [MICROSOFT] - {28766E1C-74B0-4417-8C75-F12AE309EF35} = C:/WINDOWS/system32/wzcfsw.dll | 2008-8-5 6:1:7
O29 - HKCU-Start Page = hxxp://tb.9533.com/
O29 - HKCU-Search Page = hxxp://www.aogo.net
Then fileinfo was downloaded from http://purpleendurer.ys168.com to extract the file information; the bat_do package was not downloaded.
Download Dr.Web CureIt! and scan, and that should be it ~
Information on some of the malicious files is attached:
File Description: C:/Windows/system32/hbinject.exe
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 8:53:52
Size: 2560 bytes, 2.512 KB
MD5: 537eb9dd599a5ebf44e99d4f086797ba
Sha1: f38a1ee9d9ec4019a4b8da-32c95dbbb005902aa
CRC32: c54019a1
File Description: C:/Windows/system32/hbmhly.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 19456 bytes, 19.0 KB
MD5: 32854f7d75d25de0b736685c02109604
Sha1: f2e770f9a9cb2c5a0b837baf6dc7434efb244acb
CRC32: 308f0a98
Kaspersky report: Trojan-GameThief.Win32.OnLineGames.soak; Rising reports it as Trojan.psw.win32.xyonline.agq
File Description: C:/Windows/system32/zsqf.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 18:56:24
Size: 3697 bytes, 3.625 KB
MD5: b987c23754c477aab3418a88f546b380
Sha1: d71a72e80227b593bcc393ac15ae2c8c50432646
CRC32: 3b94ffe7
File Description: C:/Windows/system32/dgsfgdljv.dll
Attribute: ---
Digital Signature: Microsoft Corporation
PE file: Yes
Language: Chinese (China)
File version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Description: advanced windows 32 base API
Copyright: (c) Microsoft Corporation. All rights reserved.
Product Version: 5.1.2600.2180
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Internal name: advapi32.dll
Source File Name: advapi32.dll
Creation Time: 11:41:20
Modification time:
Size: 674304 bytes, 658.512 KB
MD5: 7a6ba833851cf17f32fab3bfba62da75
Sha1: 769518238168f0d8a439678e59c8a4d865e0068a
CRC32: 3a2ed038
File Description: C:/Windows/system32/pserspxvh.dll
Attribute: ---
Digital Signature: Microsoft Corporation
PE file: Yes
Language: Chinese (China)
File version: 5.1.2600.3119 (xpsp_sp2_gdr.070416-1301)
Description: Windows NT base API client DLL
Copyright: (c) Microsoft Corporation. All rights reserved.
Product Version: 5.1.2600.3119
Product Name: Microsoft (r) Windows (r) Operating System
Company Name: Microsoft Corporation
Internal name: Kernel32
Source File Name: Kernel32
Creation Time: 11:41:21
Modification time: 23:54:26
Size: 1145344 bytes, 1.94 MB
MD5: ec8a0d03d78ffa7fee94a6f2d8719c49
Sha1: 46e5861696952d70f1898c61e10a7aeeab4c80b9
CRC32: 1cc8fa13
File Description: C:/program files/Internet Explorer/plugins/windows64.sys
Attribute: ASH-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 11:51:44
Modification time: 11:51:46
Size: 48254 bytes, 47.126 KB
MD5: 06c10ec61c7c16c469d6982dc548fe63
Sha1: 153d5cda-a6e00e1bfdbb6338fc5db4e7ea959a6
CRC32: da52a33c
File Description: C:/Windows/system32/imgutilhx2.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 18:25:12
Size: 758420 bytes, 740.660 KB
MD5: 715e67d849389f7dc124bf3e2cbc20e0
Sha1: aa438e0a81cbe01f988261a219ff882f2621315f
CRC32: 6aac8025
File Description: C:/Windows/system32/avicapwm.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 9:10:43
Modification time: 9:10:44
Size: 664492 bytes, 648.940 KB
MD5: 316f2e38ebbcbc52547a7673d9642f4a
Sha1: b1a0242565cd7a%c8e972afbf5b3deb91ebdc2
CRC32: 194730f7
File Description: C:/Windows/system32/bootvidgj.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 770476 bytes, 752.428 KB
MD5: 30aab4854cbe72a24921af925c36a57d
Sha1: 7a7e1c5f3396594dac1675dfce1f94290b11ffb4
CRC32: 7083c718
File Description: C:/Windows/system32/dispexcb.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 11:47:54
Modification time: 11:47:56
Size: 736172 bytes, 718.940 KB
MD5: 25f2d8c99b7f63505beb4e9aca0e11ff
Sha1: 1713b36d85bddadba471d474587ca90d8d5e68ee
CRC32: 857e0fb0
File Description: C:/Windows/system32/certmgrkd.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 592812 bytes, 578.940 KB
MD5: 3e57ddab0a48176d24c223fb17d8dac6
Sha1: cb25d9bd04259a4f308c363611dd72770515fbd0
CRC32: aea63e75
File Description: C:/Windows/system32/cliconfgzx.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 11:47:16
Modification time: 11:47:18
Size: 597140 bytes, 583.148 KB
MD5: cb03143c0aad44158173e961257e2143
Sha1: b7acf24a353856560301c5adef4b1ee7b23a267c
CRC32: ce099276
File Description: C:/Windows/system32/lweurqhx.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 877484 bytes, 856.940 KB
MD5: a67981100837403f7730c3b5146d9fc1
Sha1: e9b6a4683c45adc08d92ff6a405af6c84f92ba22
CRC32: 853e5cf3
File Description: C:/Windows/system32/adsntzt.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 11:45:18
Modification time: 11:45:20
Size: 575776 bytes, 562.288 KB
MD5: 0cc77e6125270573dbc651b84fedf227
Sha1: a6b1da5644e34582d868e38fedad9e429cbf3219
CRC32: fdf40ca7
File Description: C:/Windows/system32/mstimewd.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 923796 bytes, 902.148 KB
MD5: d5b5f221ec9deea02e62a7fd49fb8114
Sha1: f20a034479a4b0f384df86c34ce6e42aa457de14
CRC32: 49cf02ba
File Description: C:/Windows/system32/zrzixfvu.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 3:30:27
Modification time: 3:30:28
Size: 634144 bytes, 619.288 KB
MD5: b80e0faf08998b9949e34be0fcb2384e
Sha1: 60cf55f75dab1b082ecd6268470cdcaa6400dd83
CRC32: a36f4529
File Description: C:/Windows/system32/dpvvoxmh.dll
Attribute: ---
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 613012 bytes, 598.660 KB
MD5: ad114bff5eaa15c080c6bfe99c09294f
Sha1: 3efe49fef9fa1c5aa218d599c678273b548b48ed
CRC32: ea6125df
File Description: C:/Windows/system32/ddserh.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 272384 bytes, 266.0 KB
MD5: 52e3c4725521a3e3ea829da26e116235
Sha1: 1847bad27c06089522e796f722e80dd0073d1660
CRC32: f4e1c33c
File Description: C:/Windows/system32/fmcvxy.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 11:51:24
Modification time:
Size: 240128 bytes, 234.512 KB
MD5: 790ec7691705abdb785147c891b8ed04
Sha1: 24129ce2b43647aa6820dd7fc16a7828a22fd1a7
CRC32: 592f5bb9
File Description: C:/Windows/system32/wzcfsw.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 265216 bytes, 259.0 KB
MD5: 4afb3b97b7fa0bc28afffce5ca41dd06
Sha1: 07c34480f94d44e0357f99b51f40661db1744b9e
CRC32: 5c616ee2
File Description: C:/Windows/system32/tdfhex.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 21:57:42
Modification time:
Size: 247296 bytes, 241.512 KB
MD5: 754e11a65ce1ae5dc3df407726bb6631
Sha1: 11ac1edfb640c5bc4494c81da19b10cb74e96057
CRC32: 259f32c7
File Description: C:/Windows/system32/jfrwdh.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time: 7:24:12
Size: 225792 bytes, 220.512 KB
MD5: 3b6e8b00bf98cc02db82703047eed27d
Sha1: 55a3bc051536a24797a4c546793eeda203c2d3f4
CRC32: e98d06b0
File Description: C:/Windows/system32/pedadt.dll
Attribute: A-H-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time:
Modification time:
Size: 229376 bytes, 224.0 KB
MD5: 7aa2138861e9829462ff6c9d138f8c25
Sha1: 1ec12fd6baab7a03b5d87a89614cb3ff1a834f90
CRC32: e4e6d686
File Description: C:/program files/Internet Explorer/iexplore32.sys
Attribute: ASH-
Digital Signature: No
PE file: Yes
An error occurred while obtaining the file version information!
Creation Time: 15:51:36
Modification time: 11:57:16
Size: 31370 bytes, 30.650 KB
MD5: 877b08b1b6e2efaee2479a1a0662ca17
Sha1: 6ed0d2d4082e9ff1c9db32c92588d2c130adf41e
CRC32: 0253c062